FreeBSD -- amd64 swapgs local privilege escalation

Affected systems

6.3 <= FreeBSD < 6.3_4
7.0 <= FreeBSD < 7.0_4

Details

VuXML ID: 6d4e4759-7b67-11dd-80ba-000bcdf0a03b
Discovery: 2008-09-03
Entry: 2008-09-05

Problem Description:

If a General Protection Fault happens on a FreeBSD/amd64
system while it is returning from an interrupt, trap or
system call, the swapgs CPU instruction may be executed one
extra time when it should not be, resulting in userland and
kernel state being mixed.

Impact:

A local attacker can, by causing a General Protection Fault
while the kernel is returning from an interrupt, trap or
system call and manipulating stack frames, run arbitrary
code with kernel privileges.

The vulnerability can be used to gain kernel / supervisor
privilege. This can for example be used by normal users to
gain root privileges, to break out of jails, or bypass
Mandatory Access Control (MAC) restrictions.

Workaround:

No workaround is available, but only systems running the 64
bit FreeBSD/amd64 kernels are vulnerable.

Systems with 64 bit capable CPUs, but running the 32 bit
FreeBSD/i386 kernel are not vulnerable.
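Added example, not part of the VuXML entry: a small sh check that maps a kernel's `uname -r` and `uname -m` output onto the ranges listed under "Affected systems", treating an i386 kernel on a 64-bit CPU as unaffected as the workaround section states. The translation of a "-pN" release suffix into the VuXML "_N" patch-level notation is an assumption made here.

```sh
#!/bin/sh
# Added example (not from the VuXML entry): decide whether a FreeBSD kernel,
# identified by its `uname -r` string and `uname -m` machine architecture,
# falls inside 6.3 <= FreeBSD < 6.3_4 or 7.0 <= FreeBSD < 7.0_4.
# Assumption: a "-pN" suffix corresponds to VuXML patch level "_N".

# Convert a `uname -r` string such as "7.0-RELEASE-p3" into the
# "<branch> <patchlevel>" pair used by the ranges, e.g. "7.0 3".
# Strings without a -pN suffix (e.g. "6.3-RELEASE") have patch level 0.
release_to_pair() {
    rel=$1
    branch=${rel%%-*}                  # "7.0-RELEASE-p3" -> "7.0"
    case $rel in
        *-p[0-9]*) patch=${rel##*-p} ;; # "7.0-RELEASE-p3" -> "3"
        *)         patch=0 ;;
    esac
    printf '%s %s\n' "$branch" "$patch"
}

# Return 0 (affected) only for an amd64 kernel on the 6.3 or 7.0 branch
# with a patch level below 4; anything else, including any i386 kernel,
# returns 1 (not in the affected ranges).
is_affected() {
    rel=$1
    arch=$2
    [ "$arch" = amd64 ] || return 1
    set -- $(release_to_pair "$rel")
    branch=$1
    patch=$2
    case $branch in
        6.3|7.0) [ "$patch" -lt 4 ] ;;
        *)       return 1 ;;
    esac
}

# Report on the running system when executed directly.
if is_affected "$(uname -r)" "$(uname -m)"; then
    echo "kernel $(uname -r) ($(uname -m)) is within the affected ranges"
else
    echo "kernel $(uname -r) ($(uname -m)) is outside the affected ranges"
fi
```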